Quick Start instructions to install and configure Istio in a Kubernetes cluster.
The following instructions require you have access to a Kubernetes 1.7.3 or newer cluster with RBAC (Role-Based Access Control) enabled. You will also need kubectl
1.7.3 or newer installed. If you wish to enable automatic injection of sidecar, you need to turn on Kubernetes alpha features in your cluster.
Note: If you installed Istio 0.1.x, uninstall it completely before installing the newer version (including the Istio sidecar for all Istio enabled application pods).
Install or upgrade the Kubernetes CLI kubectl to match the version supported by your cluster (version 1.7 or later for CRD support).
Depending on your Kubernetes provider:
To install Istio locally, install the latest version of Minikube (version 0.22.1 or later).
<cluster-name>
with the name of the cluster you want to use, and <zone>
with the zone where that cluster is located):gcloud container clusters get-credentials <cluster-name> --zone <zone> --project <project-name>
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account)
<cluster-name>
with the name of the cluster you want to use):$(bx cs cluster-config <cluster-name>|grep "export KUBECONFIG")
IBM Cloud Private version 2.1 or later
kubectl
CLI based on steps here for how to access the IBM Cloud Private Cluster.Openshift Origin version 3.7 or later
oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z default -n istio-system
oc adm policy add-scc-to-user privileged -z default -n <target-namespace>
Starting with the 0.2 release, Istio is installed in its own istio-system
namespace, and can manage micro-services from all other namespaces.
curl -L https://git.io/getLatestIstio | sh -
.yaml
files for Kubernetes in install/
samples/
istioctl
client binary in the bin/
directory. istioctl
is used when manually injecting Envoy as a sidecar proxy and for creating routing rules and policies.istio.VERSION
configuration file cd istio-0.4
istioctl
client to your PATH. For example, run the following command on a MacOS or Linux system: export PATH=$PWD/bin:$PATH
a) Install Istio without enabling mutual TLS authentication between sidecars. Choose this option for clusters with existing applications, applications where services with an Istio sidecar need to be able to communicate with other non-Istio Kubernetes services, and applications that use liveliness and readiness probes, headless services, or StatefulSets.
kubectl apply -f install/kubernetes/istio.yaml
OR
b) Install Istio and enable mutual TLS authentication between sidecars.:
kubectl apply -f install/kubernetes/istio-auth.yaml
Both options create the istio-system
namespace along with the required RBAC permissions, and deploy Istio-Pilot, Istio-Mixer, Istio-Ingress, Istio-Egress, and Istio-CA (Certificate Authority).
kubectl apply -f install/kubernetes/istio-initializer.yaml
istio-pilot
, istio-mixer
, istio-ingress
. kubectl get svc -n istio-system
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingress 10.83.245.171 35.184.245.62 80:32730/TCP,443:30574/TCP 5h
istio-pilot 10.83.251.173 <none> 8080/TCP,8081/TCP 5h
istio-mixer 10.83.244.253 <none> 9091/TCP,9094/TCP,42422/TCP 5h
Note: If your cluster is running in an environment that does not support an external load balancer (e.g., minikube), the EXTERNAL-IP
of istio-ingress
says <pending>
. You must access the application using the service NodePort, or use port-forwarding instead.
istio-pilot-*
, istio-mixer-*
, istio-ingress-*
, istio-ca-*
, and, optionally, istio-initializer-*
. kubectl get pods -n istio-system
istio-ca-3657790228-j21b9 1/1 Running 0 5h
istio-ingress-1842462111-j3vcs 1/1 Running 0 5h
istio-initializer-184129454-zdgf5 1/1 Running 0 5h
istio-pilot-2275554717-93c43 1/1 Running 0 5h
istio-mixer-2104784889-20rm8 2/2 Running 0 5h
You can now deploy your own application or one of the sample applications provided with the installation like BookInfo. Note: the application must use HTTP/1.1 or HTTP/2.0 protocol for all its HTTP traffic because HTTP/1.0 is not supported.
If you started the Istio-Initializer, as shown above, you can deploy the application directly using kubectl create
. The Istio-Initializer will automatically inject Envoy containers into your application pods:
kubectl create -f <your-app-spec>.yaml
If you do not have the Istio-Initializer installed, you must use istioctl kube-inject to manuallly inject Envoy containers in your application pods before deploying them:
kubectl create -f <(istioctl kube-inject -f <your-app-spec>.yaml)
Uninstall Istio initializer:
If you installed Istio with initializer enabled, uninstall it:
kubectl delete -f install/kubernetes/istio-initializer.yaml
Uninstall Istio core components. For the 0.4 release, the uninstall deletes the RBAC permissions, the istio-system
namespace, and hierarchically all resources under it. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically.
a) If you installed Istio with mutual TLS authentication disabled:
kubectl delete -f install/kubernetes/istio.yaml
OR
b) If you installed Istio with mutual TLS authentication enabled:
kubectl delete -f install/kubernetes/istio-auth.yaml
See the sample BookInfo application.
See how to test Istio mutual TLS Authentication.